Cisco Systems Inc. this week released six security patches, with five of those aimed at denial-of-service vulnerabilities found within the company's IOS networking software.
The patches came as part of Cisco's biannual IOS Software Security Advisory Bundled Publication, released on the fourth Wednesday of March and September of each year. Cisco's IOS software underpins most of the company's current line of network routers and switches, which the networking giant touts as the most widely deployed networking products in the world.
The first of the IOS security patches released this week addressed two vulnerabilities found in the company's implementation of Network Address Translation (NAT), which translates IP addresses used internally on a corporate network to different addresses on outside networks.
Cisco warned that the vulnerabilities occur when the affected products are translating IP packets; if successfully exploited, they could be used to create a denial-of-service (DoS) condition.
One of the vulnerabilities is found in the Application Layer Gateway module of IOS and could be triggered by an attacker sending malformed DNS packets, while the other flaw is located in the TCP Input module, and could be prompted by a specific sequence of TCP packets.
Though unaware of any current exploits utilizing these vulnerabilities, Cisco warned that devices running its IOS software are affected when configured for NAT; as of now, there are no workarounds for the TCP Input vulnerability.
"To determine whether NAT has been enabled in the Cisco IOS Software configuration, log in to the device and issue the 'show ip nat statistics' command," Cisco said in its security advisory. "If NAT is active, the sections 'Outside interfaces' and 'Inside interfaces' will each include at least one interface."
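The check Cisco describes is a manual read of the 'show ip nat statistics' output. The following script, added here as an illustration and not taken from Cisco's advisory or any Cisco tool, applies the same rule automatically: it pulls the interface names listed under the "Outside interfaces" and "Inside interfaces" headings and reports NAT as active only when both lists are non-empty. The sample outputs are constructed and merely modeled on the command's general layout; exact formatting varies across IOS releases, which is why the parser accepts names either on the heading line or on indented lines beneath it.

```python
# Added example: classify 'show ip nat statistics' output per Cisco's stated rule
# (NAT is active when both interface sections list at least one interface).
# The sample texts below are constructed, not captured from a real device.

SAMPLE_NAT_ACTIVE = """\
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1, Vlan10
Hits: 1204  Misses: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet0/0 refcount 3
"""

SAMPLE_NAT_INACTIVE = """\
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Inside interfaces:
Hits: 0  Misses: 0
"""

# Some releases print interface names on the heading line itself.
SAMPLE_NAT_INLINE = """\
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces: Serial0/0
Inside interfaces: Ethernet1
Hits: 42  Misses: 0
"""

_HEADINGS = (("outside", "outside interfaces:"), ("inside", "inside interfaces:"))


def _split_names(text):
    """Split 'GigabitEthernet0/1, Vlan10' style text into a list of names."""
    return [name.strip() for name in text.split(",") if name.strip()]


def _heading_rest(line, prefix):
    """Return the text after a section heading if the line is that heading, else None."""
    stripped = line.strip()
    if stripped.lower().startswith(prefix):
        return stripped[len(prefix):]
    return None


def parse_nat_interfaces(output):
    """Return {'outside': [...], 'inside': [...]} parsed from command output."""
    sections = {"outside": [], "inside": []}
    current = None  # which section's interface list we are inside, if any
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        heading_hit = False
        for key, prefix in _HEADINGS:
            rest = _heading_rest(line, prefix)
            if rest is not None:
                current = key
                sections[key].extend(_split_names(rest))
                heading_hit = True
                break
        if heading_hit:
            continue
        if current is not None and line[0].isspace():
            # Indented lines under a heading carry interface names.
            sections[current].extend(_split_names(line))
        else:
            # A non-indented line (e.g. 'Hits:') ends the interface list.
            current = None
    return sections


def nat_is_active(output):
    """Apply Cisco's rule: NAT is active when both sections list an interface."""
    sections = parse_nat_interfaces(output)
    return bool(sections["outside"]) and bool(sections["inside"])


if __name__ == "__main__":
    for label, text in (("active", SAMPLE_NAT_ACTIVE),
                        ("inactive", SAMPLE_NAT_INACTIVE),
                        ("inline", SAMPLE_NAT_INLINE)):
        print(label, parse_nat_interfaces(text), "-> NAT active:", nat_is_active(text))
```

In practice the text would come from a collected 'show ip nat statistics' capture of each device in an inventory, so that every IOS device configured for NAT is flagged for patching rather than checked one at a time by hand.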
Cisco addressed a separate vulnerability in its IOS and IOS XE software that stems from its implementation of the IPv6 protocol stack. The vulnerability can be exploited remotely by sending malformed IPv6 packets, and a successful exploit would result in I/O memory depletion on an affected device. There is no workaround available for devices that require an IPv6 configuration.
"Memory depletion could cause routing protocols to fail, remote access to the device to be inaccessible, and could cause a reload of the affected device," Cisco said in its security advisory. "Repeated exploitation could result in a sustained denial-of-service (DoS) condition."
Cisco patched two more remotely exploitable vulnerabilities that, if successfully exploited, could force targeted devices to reload. One was found in the Session Initiation Protocol (SIP) implementation of IOS and IOS XE, which is used to establish multimedia sessions and Internet telephony calls. No workarounds are available if a device requires SIP, according to the advisory, but this vulnerability can be mitigated to some extent by allowing only legitimate devices to connect.
The other vulnerability is found in the Internet Key Exchange Version 2 (IKEv2) module of IOS and IOS XE, which is used to handle cryptographic attributes when encrypting or authenticating a communication session. Again, this flaw can be remotely exploited by an attacker by sending malformed IKEv2 packets.
Finally, a remotely exploitable DoS vulnerability was patched in the SSL VPN subsystem of IOS. Again, the flaw occurs when an affected device processes a certain type of HTTP request, which means an attacker could exploit the vulnerability simply by crafting a malicious request.
"An exploit could allow the attacker to consume and fragment memory on the affected device," the Cisco security advisory said. "This may cause reduced performance, a failure of certain processes, or a restart of the affected device."